Compliance Activity Records
What the Czech National Bank Wants to See During an Inspection
For foreign companies operating in the Czech Republic, a notice of a compliance inspection from the Czech National Bank (CNB) can be a source of significant concern. This article provides specific answers and a clear guide to the essential compliance and activity records the regulator demands. As an international law firm, ARROWS regularly advises foreign clients on these matters. If you need an English-speaking lawyer in Prague to help you prepare, this guide outlines what you need to know to navigate a CNB inspection successfully.
Need advice on this topic? Contact the ARROWS law firm by email at office@arws.cz or by phone at +420 245 007 740. Your question will be answered by Mgr. Jáchym Petřík, an expert on the subject.
The CNB's Watchful Eye: Why Every Foreign Business in the Czech Republic is Under Scrutiny
The Czech National Bank is not merely a central bank; it is the primary guardian of the Czech financial market's stability and integrity. Its mandate is twofold: to safeguard the entire financial system from systemic risks and to protect consumers and investors. For any foreign business, from a FinTech startup to a branch of a multinational bank, understanding this role is the first step toward effective compliance.
The CNB's authority is firmly established in Czech law, primarily through the Act on the Czech National Bank (Act No. 6/1993 Coll.) and the Act on Banks (Act No. 21/1992 Coll.). These laws grant the CNB extensive powers to license, regulate, and supervise all financial market participants. For your company, this means that robust compliance is not an administrative option; it is a fundamental condition of your license to operate in this stable and strategically located EU jurisdiction.
Demonstrating adherence to these rules is crucial for maintaining your business's reputation and avoiding severe penalties. The CNB's supervisory strategy is not developed in isolation. It is deeply integrated with international best practices, including the core principles for effective banking supervision issued by the Basel Committee and standards from other global bodies.
Therefore, when the CNB inspects your Czech operations, it is applying a standard recognized across the global financial system, making compliance a matter of international, not just local, importance.
The Two Faces of Supervision: Understanding On-Site vs. Off-Site Inspections
The CNB employs a dual approach to its supervisory activities, combining continuous remote monitoring with targeted, in-depth investigations. Understanding the difference and the relationship between these two methods is key to managing your regulatory risk.
Off-Site Surveillance: The Routine Check-Up
Off-site surveillance is the CNB's constant, data-driven monitoring of your institution's financial health and compliance. It relies on the regular reports and statements your company is legally required to submit, often through the CNB's dedicated SDAT data collection system. This process allows the regulator to analyze your activities against uniform criteria and identify potential risks, anomalies, or deviations from regulatory norms.
It is a mistake to view this reporting as a simple administrative task. The data you submit is meticulously analyzed and directly informs the CNB's risk assessment of your firm. Any inconsistencies, delays, or red flags in your off-site reporting can be a primary trigger for the regulator to initiate a much more intrusive on-site inspection.
On-Site Inspection: The Deep Dive
An on-site inspection (kontrola na místě) is a comprehensive examination conducted directly at your business premises. It is becoming the CNB's principal supervisory tool, particularly for assessing the effectiveness of a firm's internal risk management systems. An inspection is a forensic investigation into your operations, governance, and culture.
Under the Czech Inspection Code (Act No. 255/2012 Coll., the kontrolní řád), CNB inspectors are granted significant powers. They have the right to enter your premises, demand access to any and all documents, data, and systems, and require full cooperation from any employee, from junior staff to the board of directors. Failure to provide this cooperation is a serious offense in itself.
FAQ – Legal tips about The Inspection Process
- How much notice will we get before an on-site inspection?
While many inspections are planned and included in an annual supervisory program, the CNB has the authority to conduct inspections without prior notification. These are typically triggered by a specific event or a serious concern identified during off-site surveillance. This makes a state of constant readiness essential for your business. Contact us at office@arws.cz.
- What are our rights during an inspection?
The Inspection Code grants you specific rights. You are entitled to request the inspector's credentials and formal authorization, be present during inspection activities, and file formal objections to the findings in the final inspection report. However, these rights are balanced by an overarching legal obligation to cooperate fully and provide all requested information promptly. Need guidance on your rights? Contact us at office@arws.cz.
- Can we have our lawyer present?
Yes, and it is highly recommended. Having legal counsel present ensures that your rights are protected, that communication with the inspectors is managed professionally, and that any requests are handled appropriately. ARROWS lawyers regularly represent clients during CNB inspections. For immediate representation during an inspection, email us at office@arws.cz.
The Inspector's Checklist: The Core Compliance Records the CNB Demands to See
When CNB inspectors arrive, their objective is to verify that your compliance systems are not just well-designed but also meticulously documented and consistently implemented. They operate under a simple but strict evidentiary principle.
The Golden Rule: If It’s Not Documented, It Didn’t Happen
For a regulator, undocumented actions, decisions, or controls are considered non-existent. The CNB requires a clear, complete, and reconstructible "audit trail" for all key compliance activities. Your records must tell a coherent story that proves your firm has identified its risks and has taken concrete, documented steps to mitigate them. Vague assurances are insufficient; the CNB demands verifiable proof.
Your Internal Control System (ŘKS): The Blueprint of Your Compliance
The foundation of your defense is your Řídící a kontrolní systém (ŘKS), or Internal Control System. This is more than just a manual; it is the documented architecture of your entire compliance framework. Inspectors will demand to see:
- Organizational Charts and Responsibility Maps: Clear documentation showing the allocation of compliance duties and lines of reporting, from the operational level up to the supervisory board.
- Internal Policies and Procedures: A comprehensive set of written policies covering all relevant areas, including risk management, internal audit, and conduct of business rules.
- Board and Committee Minutes: Verifiable records of meetings where compliance matters, risk assessments, and audit findings were discussed and acted upon by senior management and the board.
Anti-Money Laundering (AML) & CFT Records: Your First Line of Defense
AML and Counter-Financing of Terrorism (CFT) compliance is an area of intense global and local scrutiny. The Czech Republic's record-keeping framework has been identified by international bodies like the Financial Action Task Force (FATF) as an area needing improvement. This means the CNB has a strong incentive to be exceptionally rigorous in its examination of your AML records. You must be prepared to present:
- Written AML/CFT Policy and Risk Assessment: A detailed, up-to-date document tailored to your specific business model, client base, and geographic exposure. A generic, off-the-shelf policy will not suffice.
- Customer Due Diligence (CDD) Records: Complete files for every client, including verified identification documents, documented verification of beneficial ownership, and a clear rationale for the client's risk categorization.
- Enhanced Due Diligence (EDD) Records: For all high-risk clients (e.g., politically exposed persons), you must have extensive documentation of the additional verification steps taken and ongoing monitoring performed.
- Suspicious Activity Reports (SARs): Records of all internal SARs filed by employees and copies of any external reports made to the Czech Financial Analytical Office (FAU).
Transaction & Communication Logs: Proving Prudent Conduct
Under Czech law, particularly the Act on Capital Market Undertakings (Zákon o podnikání na kapitálovém trhu or ZPKT), firms providing investment services have a strict obligation to record and retain communications that are intended to result in a transaction.
This includes telephone calls (both landline and mobile), emails, video conferences, and other forms of electronic communication. Inspectors will check that you have a robust system to capture, store, and retrieve these records, along with detailed transaction logs sufficient to reconstruct any trade or order.
Employee Training Records: Demonstrating a Culture of Compliance
A compliance policy is ineffective if your employees are not aware of it. The CNB expects to see documented proof that you conduct regular, relevant training for all staff on key compliance topics, especially AML/CFT. These records should include training dates, detailed content of the materials presented, and lists of attendees to demonstrate that compliance is an active, ongoing process embedded in your corporate culture.
Critical Record-Keeping Failures
| Risks and Penalties | How ARROWS Helps |
| --- | --- |
| Outdated or generic internal AML policies that do not reflect your actual business risks. Penalty: Fines, remedial measures to rewrite the entire system. | Preparation of internal company policies: We draft bespoke policies that pass the CNB's "use test." Need to update your policies? Write to office@arws.cz. |
| Incomplete Customer Due Diligence (CDD) files (missing ID verification, unclear beneficial ownership). Penalty: Fines up to millions of CZK, reputational damage. | Drafting legally required documentation: We create a robust CDD and client onboarding framework. For immediate assistance, write to us at office@arws.cz. |
| Failure to record and store client communications related to transactions (e.g., unrecorded mobile phone calls). Penalty: Significant fines for breaching ZPKT (§ 17). | Legal consultations to prevent penalties: We advise on compliant communication systems and policies. Get tailored legal solutions by writing to office@arws.cz. |
| No documented proof of employee training on AML/CFT procedures. Penalty: CNB will deem your compliance culture ineffective, leading to deeper scrutiny. | Professional training for employees: We provide certified training that creates a defensible record of compliance. To schedule a training session, email us at office@arws.cz. |
Beyond the Binder: Proving Your Compliance System is Truly Effective
Having a complete set of documents is only the first step. The CNB conducts a qualitative assessment to determine if your compliance system is genuinely effective in practice. Inspectors are trained to look beyond the paper and test whether your stated policies are truly embedded in your daily operations.
This is often referred to as the "use test". An inspector might, for example, interview a client-facing employee to see if they can explain the firm's procedure for identifying a suspicious transaction. If the employee's answer does not match the written policy, the CNB will conclude that the system is merely formalistic and ineffective, which is a serious finding.
Furthermore, the CNB's supervision is explicitly "forward-looking" and "risk-based". This means they expect your compliance framework to be a dynamic, living system. It must be capable of identifying, assessing, and mitigating not just known, historical risks but also new and emerging threats.
Their own strategy documents reveal a sophisticated approach that analyzes "inherent risk," the "quality of measures applied," and the resulting "residual risk". Your records, particularly board minutes and risk committee reports, must reflect this proactive risk management process.
A critical component of an effective system is a properly resourced and functionally independent compliance and internal audit department. If the CNB perceives that your compliance officer lacks authority or that the internal audit function is not sufficiently independent from the business units it oversees, it will question the validity of the entire control framework.
Ineffective Compliance Systems
| Risks and Penalties | How ARROWS Helps |
| --- | --- |
| A passive supervisory board or unclear management responsibilities. Penalty: CNB may rule the entire governance structure is unfit, forcing management changes. | Professional training for management: We educate boards and senior managers on their specific supervisory duties under Czech law. Need to train your leadership? Contact us at office@arws.cz. |
| An under-resourced or non-independent internal audit/compliance function. Penalty: The CNB will disregard its findings and may impose its own, more costly, external audit. | Legal consultations to prevent penalties: We help structure your compliance function to meet CNB independence and expertise standards. Our lawyers are ready to assist you – email us at office@arws.cz. |
| Compliance policies that exist on paper but are not followed in practice (failing the "use test"). Penalty: Considered a serious breach of trust; leads to higher fines and more intrusive supervision. | Legal opinions: We conduct pre-inspection audits to identify gaps between your policies and real-world practices. Want to understand your legal options? Email us at office@arws.cz. |
| Failure to adapt the compliance system to new products or market risks. Penalty: Demonstrates a static, ineffective system; CNB may restrict new business activities. | Contract drafting or review: We ensure that contracts for new products include robust compliance and risk-mitigation clauses from the start. Do not hesitate to contact our firm – office@arws.cz. |
Navigating the Maze: How Czech Rules Differ from Your Home Jurisdiction
For international firms, a common mistake is assuming that a compliance strategy that works in another major financial center can be simply replicated in Prague. The Czech regulatory framework, while based on EU directives, has a unique implementation and supervisory culture.
The CNB operates as an integrated supervisor, overseeing both prudential regulation (financial stability) and conduct of business rules under one roof. This differs from models like the UK's dual system, where the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) split these responsibilities.
This integrated approach means the CNB has a holistic view of your firm and can easily connect, for example, a concern about your business conduct with an examination of your capital adequacy.
These differences mean that local expertise is not just an advantage; it is a necessity. As an international law firm based in Prague, European Union, ARROWS specializes in bridging these regulatory gaps. Our team understands the nuances of the CNB's expectations. Through our ARROWS International network, built over 10 years of cross-border practice, we are perfectly positioned to help you adapt your global compliance framework to meet the specific demands of the Czech market.
It is also important to recognize that financial regulators cooperate internationally. The CNB has formal Memoranda of Understanding (MoU) with its counterparts in other countries, including the UK's FCA and Bank of England.
These agreements facilitate the sharing of information. A compliance failure identified by the CNB in your Prague office could be communicated to your home-country regulator, potentially triggering scrutiny of your parent company's group-level governance. A problem in the Czech Republic does not always stay in the Czech Republic.
The High Cost of Failure: CNB Penalties, Fines, and Public Reputational Damage
The consequences of failing a CNB inspection or breaching regulatory rules are severe and multi-faceted. The CNB has a broad range of enforcement powers designed to penalize misconduct and compel corrective action.
Financial Penalties
The CNB can levy substantial fines. For certain breaches, penalties can be calculated based on the illicit gain or reach up to 10% of your firm's total net annual turnover. In recent years, the CNB has imposed fines reaching tens of millions of Czech koruna for offenses like unauthorized deposit-taking.
Crucially, the CNB has publicly stated that it believes past fines have not been a sufficient deterrent and that it intends to "tighten its sanctioning policy". This means that relying on historical penalty levels to assess your risk is a dangerous miscalculation; the regulator has explicitly signaled that future fines will be tougher.
Remedial Measures
Beyond fines, the CNB can issue legally binding orders called opatření k nápravě (remedial measures). These can force your company to overhaul its internal systems, restrict or terminate high-risk business activities, or even demand the dismissal of senior managers or board members deemed unfit. In the most serious cases, the CNB can revoke your license, effectively ending your ability to do business in the Czech Republic.
Public Reputational Damage
Perhaps the most lasting consequence is reputational. The CNB is required by law to publish its final penalty decisions on its website, where they remain publicly accessible. This creates a permanent, searchable record of your company's compliance failures, which can be devastating to your brand, client trust, and business relationships.
CNB Enforcement Actions & Sanctions
| Risks and Penalties | How ARROWS Helps |
| --- | --- |
| Systemic failure in the internal control system identified during an inspection. Penalty: Imposition of remedial measures, forced replacement of management, public censure. | Representation before public authorities: We manage communication with the CNB to negotiate reasonable remedies and protect your reputation. Need legal representation? Write to office@arws.cz. |
| Failure to report a suspicious transaction to the Financial Analytical Office (FAU). Penalty: Severe fines and potential criminal liability for management. | Preparation of complete AML documentation: We build systems that ensure timely and accurate reporting. For immediate assistance, write to us at office@arws.cz. |
| Repeated or severe breaches of prudential or conduct rules. Penalty: The ultimate sanction of license revocation and forced exit from the Czech market. | Legal opinions: We provide clear opinions on your regulatory standing to prevent catastrophic failures. Get tailored legal solutions by writing to office@arws.cz. |
| Inability to defend your actions due to poor records during an administrative proceeding. Penalty: Inability to challenge CNB findings, leading to maximum penalties. | Representation in court: If matters escalate, we provide expert litigation support to defend your interests. Do not hesitate to contact our firm – office@arws.cz. |
Your Next Step: An Action Plan for CNB Inspection-Readiness
Facing a CNB inspection can be a daunting prospect, but proactive and thorough preparation is the key to a successful outcome. The central message is clear: do not wait for the inspection notice to arrive. A state of constant readiness is the most effective risk management strategy.
As a leading Czech law firm in Prague, EU, ARROWS provides a complete, end-to-end solution to ensure your business is fully prepared. We recommend a structured approach:
- Assess Your Position: Begin with a confidential Legal consultation or a preventative legal audit. This will identify any gaps or weaknesses in your current compliance framework before the regulator finds them.
- Remediate and Strengthen: Based on the audit, our team can assist with the Preparation of internal company policies and the Drafting of legally required documentation, ensuring your records are robust, tailored, and meet the CNB's exacting standards.
- Embed Compliance Culture: We provide Professional training for your employees and management. This not only fulfills a key regulatory requirement but also creates a defensible record and embeds a true culture of compliance within your organization.
- Defend Your Interests: Should an inspection occur or escalate, ARROWS provides expert Representation in court or before public authorities, managing all communication and advocating vigorously on your behalf.
To start building your defense and ensure your company is fully prepared for any regulatory scrutiny, do not hesitate to contact our firm. Our lawyers are ready to assist you – email us at office@arws.cz.
FAQ – Most common legal questions about CNB Compliance Records
1. How long must we retain compliance records in the Czech Republic?
The general rule under the Czech AML Act is to retain customer and transaction information for at least 10 years after the end of the business relationship or transaction. However, different retention periods can apply to other types of records. EU directives establish a minimum of five years, but local laws often extend this. For a detailed analysis of your specific record retention obligations, contact our experts at office@arws.cz.
2. Can directors of our foreign parent company be held liable for compliance failures in our Czech branch?
Yes, absolutely. Czech law allows for liability to extend to individuals in management roles, including those at a foreign parent company, particularly if they are found to have neglected their supervisory duties. A robust, well-documented governance structure that clearly defines and delegates responsibilities is essential to mitigate this personal risk. Let us help you structure your governance for full protection by emailing office@arws.cz.
3. We are licensed in another EU country. Does the "EU passport" exempt us from CNB inspections?
No, it does not provide a full exemption. While the EU passporting regime allows you to operate in the Czech Republic, the CNB remains the host-state supervisor responsible for overseeing areas like conduct of business rules and AML/CFT compliance. Your home-state supervisor handles prudential matters, creating a complex system of dual supervision. For a clear legal opinion on your specific supervisory status, please contact us at office@arws.cz.
4. What is the first step we should take to prepare for a potential CNB inspection?
The ideal first step is an independent, preventative legal audit. This confidential review, conducted by our experts, will simulate a CNB inspection and identify any weaknesses in your documentation, procedures, and systems. This gives you the critical advantage of time—allowing you to fix any issues without the threat of regulatory penalties. To arrange a confidential pre-inspection audit for your company, get in touch with our team at office@arws.cz.
5. How does the CNB view the use of new technology (e.g., AI, cloud storage) for compliance and record-keeping?
The CNB is open to technological innovation but expects it to be deployed within a secure and compliant framework. Any new system, whether for automated transaction monitoring or cloud-based record storage, must ensure the continuity, traceability, and explainability of your compliance processes. You must be able to prove to the regulator that the technology is effective and that you have conducted a thorough risk assessment. Need help preparing the necessary documentation for your FinTech solutions? Get tailored legal solutions by writing to office@arws.cz.
Don't want to deal with this problem yourself? More than 2,000 clients trust ARROWS Law Firm, and we have been named Law Firm of the Year 2024. Take a look at our references, and we will be honored to help you solve your problem. The inquiry is free of charge.